Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-git/go-git/v5	v5.18.0 → v5.19.0

---

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

CVE-2026-45022 / GHSA-389r-gv7p-r3rp

More information

Details

Impact

go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.

Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.

This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed.

Patches

Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

Credit

Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @​wlynch, @​patzielinski and @​adityasaky for coordinating the disclosure with the go-git project. 🙇 🥇

Thanks to @​wayphinder for reporting this to the go-git project. 🙇

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References

• https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp
• https://github.com/advisories/GHSA-389r-gv7p-r3rp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.19.0

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​2010
• v5: Bump sha1cd and go-billy by @​pjbgf in #​2060
• v5: Align object encoding with upstream by @​pjbgf in #​2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
github.com/go-git/go-billy/v5	v5.8.0 -> v5.9.0
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.1
github.com/pjbgf/sha1cd	v0.3.2 -> v0.6.0
golang.org/x/crypto	v0.45.0 -> v0.50.0
golang.org/x/net	v0.47.0 -> v0.53.0
golang.org/x/sys	v0.38.0 -> v0.43.0